Cybersecurity Maturity Model Certification – CMMC
What is the CMMC?
The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) has been working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry to develop a new requirement for existing DoD contractors, replacing the current self-attestation model.
The new model released by the Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC). The intent of the CMMC is to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on the Defense Industrial Base (DIB).
The DoD is planning to migrate to the new CMMC framework in 2020. The CMMC will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI resources, including online training to better understand CUI, can be found on the National Archives’ website.
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. The CMMC encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”.
Why the DoD Created The CMMC
The introduction of the CMMC is the latest step by the Department of Defense (DoD) to mandate that private DoD Contractors adopt cybersecurity standards and practices as part of the government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats, and reduce the overall security risk of the sector.
Highlights of the CMMC
- A single standard used across all DoD contracts starting in 2020-2021
- The required CMMC level will be contained in RFP sections L & M starting midyear 2020
- All DoD Contractors will need to become CMMC Certified by passing a CMMC Audit to verify they have met the appropriate level of cybersecurity for their business. This will be a “go/no-go” requirement for any organization that wants to hold contracts with the Department of Defense.
- Self-certification is not allowed. A certified independent 3rd party organization will conduct the audit.
- The CMMC consists of 5 levels from basic hygiene (Level 1) to advanced (Level 5). Most RFPs are expected to require a Level 1 to Level 3 certification.
- The certification cost has not yet been determined. The cost and associated assessment will likely scale with the level requested.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
Summary of CMMC Levels
The CMMC model consists of 17 domains. The majority of these CMMC domains originated from the Federal Information Processing Standard (FIPS) and the NIST SP 800-171.
What you need to know
Even if your organization does not handle Controlled Unclassified Information (CUI), all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.
- The government will determine the appropriate tier of certification for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP).
- All DoD Contractors will need to become CMMC Certified by passing a CMMC Audit to verify they have met the appropriate level of cybersecurity for their business.
- There is no self-certification. Certifications will only be credited through CMMC Audits.
- Your company will coordinate directly with an accredited and independent third-party commercial certification organization to perform the CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements.
- Certification will be awarded at the appropriate CMMC level upon demonstrating the appropriate capability and organizational maturity to the satisfaction of the assessor and certifier.
- The certification cost has not yet been determined. The cost and associated assessment will likely scale with the level requested. The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.
- Your certification level will be made public; however, details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
- The duration of a certification is still under consideration.
- If your company is certified and your company is compromised, you will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.
- Engage a partner like PamTen to assist with pre-certification readiness. We’ll partner with you to determine your high-level maturity level, establish hygiene best practices, and implement a cybersecurity program to prepare your organization. Contact us now to learn how PamTen can help.
Version 0.7 of the CMMC framework was released on December 6th, 2019. This version includes CMMC Levels 1-5 as well as the associated discussion and clarification for a subset of practices and processes. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information. The initial implementation of the CMMC will only be within the DoD.
- September 5, 2019 – CMMC version v0.4 released
- October 10, 2019 – CMMC Accreditation Body RFI
- November 8, 2019 – CMMC version v0.6 released
- November 19, 2019 – Accreditation Body kickoff meeting held
- December 4, 2019 – Accreditation Body follow-up meeting held
- December 6, 2019 – CMMC version v0.7 released
- Early 2020 – Begin developing the oversight and certifier accreditation program and processes.
- Mid 2020 – Test the certification program and revise it.
- Mid/late 2020 – Accredit third-party certifiers.
- Mid 2020 – CMMC requirements will be in Requests for Information (RFIs)
- Late 2020 – DoD contractors will need to be certified to bid on Requests for Proposal (RFPs).
- Understanding CUI – https://www.archives.gov/cui/training.html
- “Securing the Supply Chain” – DoD PowerPoint https://www.ndia.org/-/media/sites/policy-issues/cmmc-brief—5-jun-19.ashx?la=en
- CMMC website – https://www.acq.osd.mil/cmmc/index.html
- CMMC FAQs – https://www.acq.osd.mil/cmmc/faq.html
- Link to Official CMMC draft v0.7 page – https://www.acq.osd.mil/cmmc/docs/CMMC_Version0.7_UpdatedCompiledDeliverable_20191209.pdf